Module 1 - Introduciton to Ethical Hacking

Elements of Information Security (EIS)

(Confidentiality -> Integrity - > Availability) -> Authenticity -> Non-repudiation

3. Close-in Attacks (Classification of Attacks)

-Performed when the attacker is in close physical proximity with the target system or network in order to gather, modify, or DISRUPT ACCESS to information -Examples include social engineering such as eavesdropping, shoulder surfing, and dumpster diving

ARP Request Replay

Wait for an ARP packet Capture it, replay it (transmit it) This causes the AP to produce another packet with a new IV Keep doing this till we have enough IVs to crack the key

Confidentiality (EIS)

Assurance tha the information is accessible only to those AUTHORIZED TO HAVE ACCESS

1. Passive Attacks (Classification of Attacks)

- Do not tamper with the data and involve intercepting and MONITORING NETWORK TRAFFICE and data flow on the target network -Examples include sniffing and eavesdropping

2. Active Attacks (Classification of Attacks)

- Tamper with data in transit or DISRUPT THE COMMUNICATION or services between the systems to bypass or break into secured systems -Examples include DoS, Man in the Middle, session hijacking, and SQL injection

5. Distribution Attacks

-Attackers tamper with hardware or software prior to installation -Attackers tamper with hardware or software at its source or in transit

4. Insider Attacks (Classification of Attacks)

-Using privileged access to VIOLATE RULES or intentionally cause a threat to the organization's information or information systems -Examples include theft of physical devices and planting keyloggers, backdoors, and malware

Problem with WEP

IV sent to router via plaintext 24 bits is not big enough and IVs will start to repeat itself. Statistical attacks based off these repeats is possible so using aircrack-ng would be a tool

Defensive Information Warfare (PREPDAD)

Refers to all strategies adn actions designed to defend against attacks on ICT assets Prevention, Deterrence, Alerts, Detection, Emergency Preparedness, and Response

Techniques (TTPs)

TECHNICAL METHODS USED BY AN ATTACKER to achieve intermediate results during the attack. They include initial exploitation, setting up and maintaining command and control channels, accessing the target infrastructure, covering the tracks of data exfiltration, and others

1. Reconnaisance (CKC)

Gather data on the target to probe for weak points

5. Installation (CKC)

Install malware on the target system

ifconfig: ether

MAC address of the virtual interface

WPA vs WPA2

Nearly the same but both use different encryption methods WPA uses TKIP and the other uses CCMP

Hacking Phase 1: Reconnaissance

Prep phase that gathers information about a target prior to launching an attack More about the target is known on a broad scale Target range may be organization's clients, employees, operations, network, and systems

define PRGA

Pseudo Random Generation Algorithm refers to an algorithm that uses mathematical formulas to produce sequences of random numbers

Cyber Kill Chain (CKC) (7 Steps) WACRIDE

Reconnaissance -> Weaponization -> Delivery -> Exploitation -> Installation -> Command and Control -> Actions on Objectives

Offensive Information Warfare (SWWMM)

Refers to information warfare that invovles attacks against the ICT assets of an opponent Web application attacks, web server attacks, malware attacks, MITM attacks, system hacking

Authenticity (EIS)

Refers to teh characteristic of a communication, document, or any data that ensures the QUALITY OF BEING GENUINE Digital signatures fall in this category.

Launch packet sniffing

1. Change NIC to monitor mode 2. airodump-ng wlan0 (or name of wifi card listed on iwconfig) Columns explained ESSID - name of network BSSID - MAC of target network PWR - Signal strength or power network higher number is the more powerful Beacons - Sends a frame to broadcast existence #Data - Number of data packets sent out #/s - Number of data packets collected in past 10 seconds CH - channel working on MB - Max speed supported on network ENC - Encryption used by network (OPN means open) CIPHER - Method used by encryption AUTH - authentication used PSK is a preshared key 3. airodump-ng --band abg wlan0 (a is 5G and bg is 2.4)

Information Assurance Processes

1. Developing local policy, process, and guidance 2. Designing network and user authentication strategies 3. Identifying network vulnerabilities and threats 4. Identifying problem and resource requirements 5. Creating plans for identified resource requirements 6. Applying appropriate information assurance controls 7. Performing certification and accreditation 8. Providing information assurance training

Categories of Indicators of Compromise

1. Email Indicators 2. Network Indicators 3. Host-Based Indicators 4. Behavioral Indicators

Why change MAC addresses

1. Increase anonymity 2. Impersonate other devices 3. Bypass filters and connect to specific devices that only specific MACs have access to

Change MAC address linux cmds

1. ifconfig wlan0 down 2. ifconfig wlan0 hw ether 00:11:22:33:44:55 3. ifconfig wlan0 up 4. ifconfig These save to memory, so once you restart your computer, it will revert back to the original MAC

macchanger

1. ifconfig wlan0 down 2. macchanger -r wlan0 3. ifconfig wlan up

handshake packets

4 packets transferred between a client and a router handshake does not contain data to recover key; just data to check if key is valid or not 1. Monitor the target network 2. deauth someone

Non-Repudiation

A GUARANTEE that the sender of a message cannot later deny having sent the message and that the recipient cannot deny having received the message

Information Warfare

Use of information and communication technologies (ICT) to gain competitive advantages over an opponent

Ethical Hackers will try to answer the following questions

What can an intruder see on the target system (Recon and scanning) What can an intruder do with the that information (Gaining and maintaining access) Does anyone at the target organization's notice the intruder's attempts or successes (Recon and covering tracks) Are all components of the information system adequately protected, updated and patched How much time, effort and money are required to obtain adequate protection Are the information security measures in compliance with legal and industry standards Black hat hackers will avoid being noticed via proxies and anonymizers

Gray Hats

Work both offensively and defensively at various times

Scan wps networks

wash --interface wlan0

How do hackers hack?

They try various tools and attack techniques to EXPLOIT VULNERABILITIES in a computer system or its security policy and controls in order to fulfill their motives

Cyber Kill Chain Methodology

Component of intelligence-driven defense for the identification and PREVENTION of MALICIOUS INTRUSION ACTIVITIES

What is hacking

Conduct footprintring/recon, creating a map of the infrastructure, identifying technologies in use, identifying potential exploits and attack vectors Exploiting system vulnerabilities and compromising security controls to gain unauthorized access to system Modifying system or application features to achieve a goal outside of the creator's original purpose Steal or redistribute intellectual property, leading to business loss

Korek Chop Chop Attack

Cracking WEP Works with weak signals Determine packet key stream Forge new packet Inject it into the traffic

6. Command and Control (CKC)

Create a command and control channel to communication and pass data back and forth

2. Weaponization (CKC)

Create a deliverable malicious payload using an exploit and a backdoor

Reaver

Guesses pin on WPS ports reaver --bssid() --channel 1 --interface wlan0 -vvv --no-associate vvv reveals as much info as possible no associate prevents reaver from making associations because their associations are buggy use your own fakeauth Execute reaver first, then fake auth

Tactics (TTP)

Guidelines that describe the way an attacker performs the attack from the beginning to the end. Consists of the various tactics for information gathering to perform initial exploitation, privilege escalation, and lateral movement, and to deploy measures for persistent access to the system and other purposes

Hacking Phase 4: Maintaining Access

Hacker retains ownership of the system Attackers will prevent the system from being owned by other attackers by securing their exclusive access with backdoors, rootkits, or trojans Attackers can upload, download, or manipulate data, application, and configurations on the owned system Attackers use the compromised system to launch further attacks

Hacking Phase 5: Clearing Tracks

Hiding malicious acts Intentions include obtaining continuing access to the victim's system, remaining unnoticed and uncaught, and deleting evidence that might lead to their prosecution Attacker overwrites the server, system, and application logs to avoid suspicion Attackers always cover their track to hide their identity

Limitations of EH

If business knows what to look for and why they are hiring an EH, there is little to gain EH can only help organization better understand its security system, but it is up to organization to place the right safeguards on the network

Technical Skills of EH

In-depth knowledge of major operating environments ie windows, unix, linux, and macs Knowledge of networking concepts, technologies, and related hardware and software Computer expert adept at techincal domains Knowledge about security areas and related issues High technical knowledge for launching sophisticated attacks

List of Adversary Behaviors

Internal Reconnaissance Use of powershell Unspecified proxy activities Use of commond line interface Http user agent Command and control server Use of DNS tunneling Use of web shell Data staging

Adversary Behavioral Identification

Involves the IDENTIFICATION OF COMMON METHODS or techniques followed by an adversary to launch attacks on or to penetrate an organization's network. Gives security professional insights into upcoming threats and exploits

Information Assurance

Making sure integrity, availibility, confidentiality, and authenticity of information and information systejms are protected during the usage, processing, storage, and transmission of information

MAC Address

Media Access control address that is permanent, physical and unique assigned to network interfaces by the manufacturer. No two network devices have the same MAC address. IP is used to identify devices over the internet. The MAC address is used to identify devices within a network

Cyber terrorists

Motivated by religious or political beliefs to create fear through the large-scale disruption of computer networks

Attacks

Motive(Goal) + Method + Vulnerability

Tactics, Techniques, and Procedures (TTPs)

PATTERNS OF ACTIVITIES AND METHODS associated with specific threat actors or groups of threat actors

7. Actions on Objectives (CKC)

Perform actions to achieve intedned objectives/goals

Ethical Hacking

Permission and intent Use of hacking tools, tricks, and techinques to identify vulnerabilities and ensure system security Focuses on simulating the techniques used by attacked to verify the existence of exploitable vulnerabilities in a system's security Perform security assessments for an organization with the permission of concerned authorities

Hacking Phase 3: Gaining Access

Point where the attacker obtains access to the operating system or applicaitons on the target computer or network Access can be gained at operating system, application, or network levels Attacker can escalate privileges to obtain complete control of the system. In this process, the attacker's intermediate systems are compromised as well Examples are password cracking, buffer overflows, DOS, and session hijacking

Hacking Phase 2: Scanning

Pre attack where attacker scans the network for specific information based on information gathered during the recon Use of dialers, port scanners, network mappers, ping tools, and vulnerability scanner Extract information such as live machines, port, port status, OS details, device type, and system uptime to launch attack

Reasons why organizations recruit ethical hackers

Prevent hackers from gaining access Uncover vulnerabilities in systems and explore security risk potential Strengthen an organization's security posture - policies, network protection infrastructure, and end-user practices Avoid security breaches Safeguard customer data Enhance security awareness at all levels

Procedures (TTPs)

Procedures are organizational approaches that threat actors follow to launch an attack. The number of actions usually differs depending on the objectives of the procedure and the threat actor group

Hacktivists

Promote a political agneda by hacking, especially by defacing or disabling websites

Cyber Kill Chain Insights

Provides insights into attack phases, which helps security professionals to understand the adversary's tactics, techniques, and procedures beforehand

3. Delivery (CKC)

Send weaponized bundle to the victim using email, USB, Etc.

What MAC info does a packet contain

Source MAC Destination MAC

Motive

The TARGET SYSTEM STORES OR PROCESSES something valuable, and this leads to the threat of an attack on the system

Integrity (EIS)

The TRUSTWORTHINESS OF DATA OR RESOURCES in terms of preventing improper or unauthorized changes. Hashing algorithms fall in this category

Passive Recon

Acquiring information without directly interacting with the target - searching public records or news releases Youre not detectable

ARP packet

Address Resolution Protocol A communication protocl used for discovering the link layer address or MAC address

Suicide Hackers

Aim to bring down the critical infrastructure for a "cause" and are not worried about facing jail terms

Why is Ethical Hacking Necessary

Allows for counter attacks against malicious hackers by anticipating the methods to break into a system

Availibility (EIS)

Assurance that the systems responsible for delivering, storing, and processing information are accessible when REQUIRED BY THE AUTHORIZED USERS

Script Kiddies

Unskilled hacker who compromises a system by running scripts, tools and software that were developed by real hackers

White Hats

Use skills for defensive purposes and are also known as security analysts. They have permission from system owner

4. Behavioral Indicators

Used to identify specific behavior related to malicious activities and include a document executing a Powershell script and remote command execution.

1 . Email Indicators (IOC)

Used to send malicious data to the target organization or individual such as senders email address, email subject, and attachments or links

2. Network Indicators (IOC)

Useful for command and control, malware delivery, identifying the operating system, and other tasks and include URLs, domain names, and IP addresses

Creating a wordlist

crunch [min] [max] [characters] -t[pattern] -o [Filename] Example: crunch 6 8 123abc$ -o wordlist -t a@@@@b

Steps to change to monitor mode

iwconfig (to check mode) ifconfig wlan0 down airmon-ng check kill (will kill process that connects to internet, but thats ok, internet not needed for preconn attacks) iwconfig wlan0 mode monitor ifconfig wlan0 up

Arpreplay Attack command

airplay-ng --arpreplay -b CC:40:D0:C5:38:93 -h 1E:4D:40:4F:CD:83 (thats your wireless adapter) wlan0

Information Security

A state of well-being of information and infrastructure in which the possibility of THEFT, TAMPERING and DISRUPTION OF INFORMATION AND SERVICES is low or tolerable

Non-technical Skills of EH

Ability to learn and adopt new tech quickly Strong work ethics and good problem solving and communication skills Committed to the organization's security policies An awareness of the local standards and laws

Indicators of Compromise

CLUES, ARTIFACTS and PIECES of FORENSIC DATA found on the network or operating system of an orgniazation that dictates intrusion or malicious activity on organizations infrastructure. IOCs are not intelligence by act as good source of information regarding the threats that serve as data points in the intelligence process Security Professionals need to PERFORM CONTINUOUS monitoring of IoCs to effectively and efficiently detect and respond to evolving cyber threats

Capturing packets within range

Can be done even if your MAC isnt the destination MAC. To do this, we change the operation of wireless interface to monitor mode. Default mode is managed which means it will only capture packets whose Destination MAC matches its own

Built in wireless cards drawbacks

Cannot support monitor mode nor packet injections

WEP Cracking

Capture a large number of packets/IVS (airodump-ng) Analyze the captured IVs and crack the key (aircrack-ng) Command: aircrack-ng file.cap Result: It will reveal key

Active Recon

Directly interacting with the target by any means Youre detectable

State-Sponsored Hackers

Employed by governments to penetrate and gain top-secret information from and do damage to the infromation systems of other governments

ifconfig: eth0

Ethernet interface, used in Kali bc of Natnetwork

Scope of EH

Ethical hacking is a crucial component of risk assessment, auditing, counter fraud, and information systems security best practices Used to identify risks and highlight remedial actions. It also reduces ICTcosts by resolving vilnerabilities

4. Exploitation (CKC)

Exploit a vulnerability by executing code on the victim's system

Black Hats

Extraordinary computing skills resorting to malicious and destructive activities - crackers

Packet injection

Forcing the AP to generate IV (packets) so you can collect enough to crack password. You must associate with network first. It means you intend to communicate. This occurs mainly when you dont put in a password

3. Host-Based Indicators (IOC)

Found by performing an analysis of the infected system with the organizational framework and include filenames, file hashes, registry keys, DLLs and mutex

What is WPS

Wi-Fi Protected Setup, a one-touch Wi-Fi security protocol, used by printers to connect with 8 digit pin to connect to network without having to formally log on every time

WEP Encryption

Wired Equivalent Privacy Old encryption using RC4 algorithm Cracked easily, still used in some networks To send a packet, it will make a random initialization vector of 24 bits IV+Key(password) = Key stream Key stream transforms packet from gibberish to readable data

deauth command

aireplay-ng --deauth 100000000 -a (ROUTER MAC) -c (TARGET MAC) wlan0

Command to associate with a network

aireplay-ng --fakeauth 0 -a CC:40:D0:C5:38:93 -h 1E:4D:40:4F:CD:83 (thats your wireless adapter) wlan0 go to ifconfig to get network card mac the 0 means you will do it once

WPS attack

aireplay-ng --fakeauth 30 -a () -h () wlan0 Request association every 30 seconds

Target Packet Sniffing Explained

airodump-ng --bssid 00:11:22:33:44: --channel 2 --write test wlan0 Columns explained: Station - clients connected Lost - Data packets lost Frames - number of packets captured Probe - If they are looking for a wifi

ifconfig: wlan0

Your wireless adapter